19/07/2025, 21:29 OWASP Top 10
Hacksplaining
OWASP Top 10
Top 10 Web Application Security Risks
Each year OWASP (the Open Web Application Security Project) publishes the
top ten security vulnerabilities. It represents a broad consensus about the most
critical security risks to web applications.
Click through on the lessons below to learn more about how to protect against
each security risk.
1. Broken Access Control
Access control enforces policy such that users cannot act outside their intended
permissions. Failures typically lead to unauthorized information disclosure,
modification, or destruction of all data or performing a business function outside
the user's limits.
https://www.hacksplaining.com/owasp 1/10
Broken Access Control
All resources on your site need to have access control implemented, even if they aren't intended to be discoverable by a user.
Learn About This Vulnerability →
Directory Traversal
Ensure file paths are safely interpreted, or hackers can access sensitive files on your server.
Learn About This Vulnerability →
Cross-Site Request Forgery
If an attacker can forge HTTP requests to
your site, they may be able to trick your
users into triggering unintended actions.
Learn About This Vulnerability →
2. Cryptographic Failures
Many web applications and APIs do not properly protect sensitive data with
strong encryption. Attackers may steal or modify such weakly protected data to
conduct credit card fraud, identity theft, or other crimes. Sensitive data must be
encrypted at rest and in transit, using a modern (and correctly configured)
encryption algorithm.
Unencrypted Communication
Insufficient encryption can make you
vulnerable to monster-in-the-middle
attacks.
Learn About This Vulnerability →
3. Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query. The
attacker’s hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization.
SQL Injection
If you are vulnerable to SQL Injection, attackers can run arbitrary commands against your database.
Learn About This Vulnerability →
Command Execution
If your application calls out to the OS, you need to be sure command strings are securely constructed.
Learn About This Vulnerability →
4. Insecure Design
Pre-coding activities are critical for the design of secure software. The design
phase of your development lifecycle should gather security requirements and
model threats, and development time should be budgeted to allow for these
requirements to be met. As software changes, your team should test
assumptions and conditions for expected and failure flows, ensuring they are still
accurate and desirable. Failing to do so leaks critical information to
attackers and leaves novel attack vectors unanticipated.
Insecure Design
Security begins before you start writing code.
Learn About This Vulnerability →
Information Leakage
Revealing system information helps an attacker learn about your tech stack.
Learn About This Vulnerability →
File Upload Vulnerabilities
File uploads are an easy way for an attacker to inject malicious code into your application.
Learn About This Vulnerability →
5. Security Misconfiguration
Your software is only as secure as you configure it to be. Using ad hoc
configuration standards can lead to default accounts being left in place, open
cloud storage, misconfigured HTTP headers, and verbose error messages
containing sensitive information. Not only must all operating systems,
frameworks, libraries, and applications be securely configured, but they must be
patched/upgraded in a timely fashion.
Lax Security Settings
Improper security settings are a common
cause of vulnerabilities.
Learn About This Vulnerability →
6. Vulnerable and Outdated Components
Components, such as libraries, frameworks, and other software modules, run
with the same privileges as the application. If a vulnerable component is
exploited, such an attack can facilitate serious data loss or server takeover.
Applications and APIs using components with known vulnerabilities may
undermine application defenses and enable various attacks and impacts.
Toxic Dependencies
Third-party libraries could be introducing
vulnerabilities or malicious code into your
system.
Learn About This Vulnerability →
7. Identification and Authentication Failures
Application functions related to authentication and session management are
often implemented incorrectly, allowing attackers to compromise passwords,
keys, or session tokens, or to exploit other implementation flaws to assume
other users’ identities temporarily or permanently.
Password Mismanagement
Safe treatment of passwords is essential to a secure authentication system - yet many websites get this wrong.
Learn About This Vulnerability →
Privilege Escalation
Privilege escalation occurs when an attacker exploits a vulnerability to impersonate another user or gain extra permissions.
Learn About This Vulnerability →
User Enumeration
Leaking username information on your site makes things much easier for hackers.
Learn About This Vulnerability →
Session Fixation
Insecure treatment of session IDs can leave your users vulnerable to having their session hijacked.
Learn About This Vulnerability →
Weak Session IDs
Guessable session IDs make your website vulnerable to session hijacking.
Learn About This Vulnerability →
8. Software and Data Integrity Failures
Software and data integrity failures relate to code and infrastructure that does
not protect against integrity violations. An example of this is where an
application relies upon plugins, libraries, or modules from untrusted sources,
repositories, and content delivery networks (CDNs). An insecure deployment
pipeline can introduce the potential for unauthorized access, malicious code, or
system compromise. Lastly, many applications now include auto-update
functionality, where updates are downloaded without sufficient integrity
verification and applied to the previously trusted application. Attackers could
potentially upload their own updates to be distributed and run on all
installations.
9. Security Logging and Monitoring Failures
Insufficient logging and monitoring, coupled with missing or ineffective
integration with incident response, allows attackers to further attack systems,
maintain persistence, pivot to more systems, and tamper, extract, or destroy
data. Most breach studies show time to detect a breach is over 200 days,
typically detected by external parties rather than internal processes or
monitoring.
Logging and Monitoring
Comprehensive logging and monitoring
will tell you what your site is doing at
runtime, which is key to spotting security
events.
Learn About This Vulnerability →
10. Server-Side Request Forgery
Server-Side Request Forgery (SSRF) flaws occur whenever a web application
fetches a remote resource without validating the user-supplied URL. It allows an
attacker to coerce the application to send a crafted request to an unexpected
destination, even when protected by a firewall, VPN, or another type of network
access control list (ACL).
Server-Side Request Forgery
An attacker can use SSRF vulnerabilities
to probe your internal network
Learn About This Vulnerability →
© 2025 Hacksplaining Inc. All rights reserved. Questions? Email us at support@hacksplaining.com